
I am thinking of using sessions over cookies in my site project, but I saw some internet posts about session hijacking and that sessions in PHP are insecure.

Can someone elaborate on this?
Is it really something to worry about?

2007-02-03 03:35:43 · 2 answers · asked by ? 3 in Computers & Internet Programming & Design

2 answers

There is nothing insecure about sessions that is unique to PHP; writing insecure code and keeping sensitive information where others can see it is possible with any language. The most common beginner's mistake is to leave the directory where PHP stores session data files (it is defined using the session.save_path directive in php.ini) readable via HTTP.

For an in-depth discussion of session security, see the PHP Manual:

http://www.php.net/manual/en/ref.session.php

__________

2007-02-04 11:38:20 · answer #1 · answered by NC 7 · 1 0

Sessions are not insecure. The insecurity comes from improper session usage and, of course, from overrated risks. Session hijacking is very efficient but not trivial to implement. It requires knowledge of the ID. This is only possible by:
- on-screen display (if the ID is exposed)
- line snooping (not easy to do)
- access to the server and its session store
- tricking the user by other means into exposing the ID

The latter is the most likely but, as it suggests, it requires some social engineering skills or a software flaw that has nothing to do with sessions in general (e.g. cross-site scripting).

I could probably fill a book with this, but sessions are generally as safe (if not safer for some usages) and much more flexible than standard logins. But yes, you have to worry about proper implementation. If you make mistakes it can trash your security. If you know what you are doing, it's a very flexible way of user authentication.

2007-02-03 12:13:30 · answer #2 · answered by Alex S 5 · 1 0
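As an added example that is not part of either answer, here is a PHP session bootstrap that applies the points both answers make: it refuses to run if session.save_path sits under the document root (answer #1's beginner mistake), keeps the ID out of URLs and out of reach of script, and rotates the ID at login so a value exposed before authentication is worthless afterwards. The function names are my own; it assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the original answers): session hardening bootstrap.
declare(strict_types=1);

/**
 * Refuse to start if the session store is inside the web root, where the
 * data files could be fetched over HTTP. session.save_path may carry a
 * "N;[mode;]path" prefix, so only the part after the last ';' is the path.
 */
function assertSaveDirOutsideWebroot(): void
{
    $raw = (string) ini_get('session.save_path');
    $path = ($pos = strrpos($raw, ';')) !== false ? substr($raw, $pos + 1) : $raw;
    $saveDir = realpath($path !== '' ? $path : sys_get_temp_dir());
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($saveDir !== false && $docRoot !== false && $docRoot !== ''
        && strpos($saveDir, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("session.save_path '$saveDir' is inside the web root '$docRoot'");
    }
}

function hardenSessionConfig(): void
{
    // Accept the ID only from the cookie, never from the URL, so it is not
    // displayed on screen or copied into referrer logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not generate itself (session fixation).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over TLS only: counters line snooping
        'httponly' => true,     // not readable by script: limits theft via XSS
        'samesite' => 'Lax',
    ]);
}

function startHardenedSession(): void
{
    assertSaveDirOutsideWebroot();
    hardenSessionConfig();
    session_start();
}

// Call only after the credentials have been verified.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // new ID; the old store entry is deleted
    $_SESSION['user_id'] = $userId;
}
```

Call startHardenedSession() before any output is sent, since the cookie parameters must be in place before session_start() emits the Set-Cookie header.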
